EDR events sent to Splunk contain duplicate field data

Article ID: 213505


Products

Endpoint Detection and Response

Issue/Introduction

While reviewing Symantec Endpoint Detection and Response (SEDR) events in Splunk, several fields appear to contain duplicated data: the same value shows up under more than one field name, similar to the example below.

Environment

Release :

Component :

Cause

This behavior is by design.

Resolution

To normalize the data it sends to Splunk, the SEDR appliance was designed to use the Splunk Common Information Model (CIM). So that event transformations can be troubleshot, the appliance sends Splunk both the raw event fields and the CIM-normalized fields derived from them. The apparent duplication is therefore the same value under its original field name and under its CIM field name. Searches, correlation rules and data-model accelerations built on the CIM should reference the CIM field names; the raw fields are retained for comparison and troubleshooting.
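The following is an added example, not code from Symantec or Splunk, showing what the raw-plus-CIM duplication looks like and how to use it for the troubleshooting the design allows. The raw field names (src_ip, dst_ip, threat_name, risk_level, disposition, product_name, host_name), the field mapping and the sample event are all hypothetical constructions; the target names (src, dest, signature, severity, action, vendor_product) are fields of the Splunk CIM Intrusion Detection dataset.

```python
"""Added example, not code from Symantec or Splunk: what the SEDR-to-Splunk
duplication looks like and how to use it to check the CIM transformation.

The raw field names (src_ip, dst_ip, threat_name, risk_level, disposition,
product_name, host_name) are hypothetical stand-ins for whatever the appliance
emits. The target names (src, dest, signature, severity, action,
vendor_product) are fields of the Splunk CIM Intrusion Detection dataset.
"""

# Hypothetical raw severity vocabulary -> CIM severity values.
_SEVERITY = {"1": "low", "2": "medium", "3": "high", "4": "critical"}
# Hypothetical raw disposition -> CIM action values for Intrusion Detection.
_ACTION = {"blocked": "blocked", "quarantined": "blocked", "logged": "allowed"}

# raw field -> (CIM field, optional value transform). Hypothetical mapping.
CIM_MAP = {
    "src_ip": ("src", None),
    "dst_ip": ("dest", None),
    "threat_name": ("signature", None),
    "risk_level": ("severity", lambda v: _SEVERITY.get(str(v), "unknown")),
    "disposition": ("action", lambda v: _ACTION.get(str(v).lower(), "unknown")),
    "product_name": ("vendor_product", None),
}

# Constructed sample event; not a capture from a real appliance.
SAMPLE_RAW = {
    "src_ip": "10.0.0.5",
    "dst_ip": "198.51.100.23",
    "threat_name": "Trojan.Gen.Example",
    "risk_level": "3",
    "disposition": "quarantined",
    "product_name": "Symantec Endpoint Detection and Response",
    "host_name": "wks-017",  # no CIM counterpart in this map; kept as-is
}


def _expected(raw_value, transform):
    """Value a CIM field should hold, given its raw source value."""
    return transform(raw_value) if transform else raw_value


def normalize(raw):
    """Return the event as Splunk receives it: every raw field kept, plus the
    CIM fields derived from them. The overlap is the by-design duplication."""
    event = dict(raw)
    for raw_key, (cim_key, transform) in CIM_MAP.items():
        if raw_key in raw:
            event[cim_key] = _expected(raw[raw_key], transform)
    return event


def duplicate_pairs(event):
    """List (raw_field, cim_field) pairs whose values are identical in the
    event; these are the fields that look duplicated in Splunk."""
    return sorted(
        (raw_key, cim_key)
        for raw_key, (cim_key, _) in CIM_MAP.items()
        if raw_key in event and cim_key in event
        and event[raw_key] == event[cim_key]
    )


def verify_transform(event):
    """Troubleshooting check: recompute each CIM field from its raw
    counterpart and report every CIM field that is missing or disagrees."""
    problems = []
    for raw_key, (cim_key, transform) in CIM_MAP.items():
        if raw_key not in event:
            continue
        expected = _expected(event[raw_key], transform)
        if cim_key not in event:
            problems.append(f"{cim_key}: missing (from {raw_key}={event[raw_key]!r})")
        elif event[cim_key] != expected:
            problems.append(
                f"{cim_key}: got {event[cim_key]!r}, expected {expected!r} "
                f"(from {raw_key}={event[raw_key]!r})"
            )
    return problems


if __name__ == "__main__":
    event = normalize(SAMPLE_RAW)
    print("duplicated raw/CIM pairs:", duplicate_pairs(event))
    print("problems in good event:", verify_transform(event))
    # A transformation bug is visible rather than masked, because the raw
    # value is still in the event to compare against.
    broken = dict(event, severity="low")
    print("problems in broken event:", verify_transform(broken))
```

Only the fields whose raw and CIM values are byte-for-byte identical (here src, dest, signature, vendor_product) read as duplicates; fields such as severity and action carry a re-mapped value and are where a transformation defect is most likely to hide, which is exactly what the retained raw fields let you check.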

Additional Information

Why CIM Exists:
https://docs.splunk.com/Documentation/CIM/4.18.1/User/Overview#Why_the_CIM_exists

Fields for Intrusion Detection event datasets
https://docs.splunk.com/Documentation/CIM/4.18.1/User/IntrusionDetection#Fields_for_Intrusion_Detection_event_datasets